Description
Shakvaro Shield is a comprehensive WordPress security plugin designed to protect your site against the most common and advanced threats. It combines a Web Application Firewall (WAF), brute force protection, Two-Factor Authentication, file integrity monitoring, and a full suite of hardening checks into a single, well-organized package. Whether you run a personal blog or a high-traffic business site, Shakvaro Shield gives you enterprise-grade security without the complexity.
At the heart of Shakvaro Shield is a Web Application Firewall that loads via an auto-installed mu-plugin, allowing it to inspect and block malicious requests before WordPress and other plugins even begin to load. The firewall ships with six built-in rules covering SQL injection, cross-site scripting (XSS), directory traversal, file inclusion, and other common attack vectors. Alongside the WAF, Shakvaro Shield performs 15 security hardening checks and calculates an A-F health score so you can see your site’s security posture at a glance. Each check includes a one-click fix or clear remediation instructions, making it easy to bring your score up to an A.
Login security is where Shakvaro Shield truly shines. Brute force protection uses progressive lockouts that increase in duration with each failed attempt, effectively neutralizing automated attacks. Two-Factor Authentication supports any TOTP-compatible authenticator app and generates single-use backup codes so users are never locked out. You can also set a custom login URL to hide wp-login.php entirely, enforce password strength policies, and add CAPTCHA verification using reCAPTCHA v3, Cloudflare Turnstile, or a lightweight math-based fallback that requires no external service.
Shakvaro Shield is built for performance. The entire plugin is under 1 MB, uses PSR-4 autoloading so classes are only loaded when needed, and adds zero JavaScript or CSS to your site’s frontend. File integrity monitoring verifies WordPress core files and installed plugins against official ww.wp.xz.cn checksums, alerting you to unauthorized changes. Every security-relevant action is recorded in a searchable activity log with over 30 event types, and email notifications use intelligent throttling and optional daily digests so you stay informed without inbox overload. A guided setup wizard walks you through initial configuration in under two minutes.
External services
Shakvaro Shield can connect to the external services below. All are opt-in and default OFF unless marked “automatic”. For each service, the entry states what is sent and links the provider’s Terms/Privacy. Disable any opt-in service by un-checking it in the matching admin tab or leaving its API key empty.
- Shakvaro Network Intel (own SaaS, optional) – aggregated IP reputation/blocklist + opt-in failed-login digests. Sends: SHA-256 hash of the site URL, plugin version, offending IP, hashed username. No plaintext usernames/emails/passwords/content. Endpoints: https://api.shakvaro.com/network-intel/{blocklist,report,digest}. Terms: https://shakvaro.com/terms – Privacy: https://shakvaro.com/privacy
- Shakvaro WP Insights (own SaaS, optional, OFF by default, two-tier consent) – opt-in usage analytics. Sends: WP/PHP/MySQL versions, theme, locale, multisite, server, plugin version, feature on/off states + coarse buckets (hardening grade, active rule count, CAPTCHA provider), and a one-way hash of site URL+title. No IPs, usernames, emails, passwords, keys, or content. Opt out any time from Settings -> Data Sharing (sends a deletion request). Endpoint: https://track.shakvaro.cloud. Terms: https://shakvaro.com/terms – Privacy: https://shakvaro.com/wp-insights/privacy
- ww.wp.xz.cn checksums (automatic, file integrity) – sends WP version/locale + plugin/theme slug+version (public). Endpoints: https://api.ww.wp.xz.cn/core/checksums/1.0/, https://downloads.wp.xz.cn/plugin-checksums/. Privacy: https://ww.wp.xz.cn/about/privacy/
- Have I Been Pwned – Pwned Passwords (optional) – sends only the first 5 chars of a SHA-1 password hash (k-anonymity); the plaintext password never leaves the site. Endpoint: https://api.pwnedpasswords.com/range/. Privacy: https://haveibeenpwned.com/Privacy
- Cloudflare Turnstile (optional CAPTCHA) – sends the Turnstile token, user IP, and site secret key. Endpoint: https://challenges.cloudflare.com/turnstile/v0/siteverify. Terms: https://www.cloudflare.com/website-terms/ – Privacy: https://www.cloudflare.com/privacypolicy/
- Google reCAPTCHA v3 (optional CAPTCHA) – sends the reCAPTCHA token, user IP, and site secret key; Google’s script also collects browser signals. Endpoint: https://www.google.com/recaptcha/api/siteverify. Terms: https://policies.google.com/terms – Privacy: https://policies.google.com/privacy
- WPScan (optional vulnerability data) – sends installed plugin slugs and your WPScan API token. Endpoint: https://wpscan.com/api/v3/plugins/. Terms: https://wpscan.com/terms/ – Privacy: https://automattic.com/privacy/
- Patchstack (optional vulnerability data) – sends your Patchstack API key. Endpoint: https://patchstack.com/database/api/v2/vulnerabilities. Privacy: https://patchstack.com/privacy-policy/
- NIST NVD (optional CVE enrichment) – sends a public CVE identifier. Endpoint: https://services.nvd.nist.gov/rest/json/cves/2.0. Privacy: https://www.nist.gov/privacy-policy
- Google Safe Browsing (optional URL reputation) – sends the URLs being checked and your Safe Browsing API key. Endpoint: https://safebrowsing.googleapis.com/v4/threatMatches:find. Terms: https://policies.google.com/terms – Privacy: https://policies.google.com/privacy
- PagerDuty Events (optional alerts) – sends an alert payload (title, severity, summary) and the routing key. Endpoint: https://events.pagerduty.com/v2/enqueue. Terms: https://www.pagerduty.com/terms-of-service/ – Privacy: https://www.pagerduty.com/privacy-policy/
- Datadog Logs (optional log forwarding) – sends event log entries and the API key. Endpoint: https://http-intake.logs..datadoghq.com/api/v2/logs. Terms: https://www.datadoghq.com/legal/terms/ – Privacy: https://www.datadoghq.com/legal/privacy/
- ip-api.com (optional GeoIP fallback) – sends the visitor IP address. Endpoint: http://ip-api.com/json/. Terms/Privacy: https://ip-api.com/docs/legal
- Sucuri SiteCheck (optional URL reputation) – sends the URL being checked. Endpoint: https://sitecheck.sucuri.net/api/v3/. Terms: https://sucuri.net/terms/ – Privacy: https://sucuri.net/privacy/
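The k-anonymity exchange described for the Pwned Passwords service above, as an added PHP example that is not the plugin's own code. The function name and the injected $fetch_range callable are assumptions so it runs offline; the range body is constructed (a real one is fetched with wp_remote_get() and has hundreds of lines).

```php
<?php
// Added example, not plugin code: Pwned Passwords k-anonymity lookup.
// Only the first 5 hex chars of SHA-1(password) go to the range endpoint
// (https://api.pwnedpasswords.com/range/PREFIX); the other 35 chars are
// compared locally. $fetch_range is injected so the example runs offline;
// real code would fetch the body with wp_remote_get().
function shakvaro_example_pwned_count(string $password, callable $fetch_range): int
{
    $hash   = strtoupper(sha1($password));   // 40 hex chars
    $prefix = substr($hash, 0, 5);           // the only value sent upstream
    $suffix = substr($hash, 5);              // never leaves the site

    $body = $fetch_range($prefix);           // lines of "SUFFIX:COUNT"
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (strpos($line, ':') === false) {
            continue;                        // blank or malformed line
        }
        [$candidate, $count] = explode(':', trim($line), 2);
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;             // times seen in breach corpora
        }
    }
    return 0;                                // suffix absent: not known breached
}

// Constructed range body for prefix 5BAA6. SHA-1("password") is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its 35-char suffix is the
// middle line; the counts and the two other suffixes are made up.
$fake_range = function (string $prefix): string {
    $table = [
        '5BAA6' => "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                 . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
                 . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n",
    ];
    return $table[$prefix] ?? '';            // unknown prefix: empty list
};

$seen = shakvaro_example_pwned_count('password', $fake_range);
echo $seen > 0 ? "Reject: seen {$seen} times in breaches\n" : "OK\n";
// With the constructed table above this takes the reject branch; any
// password whose prefix is not 5BAA6 gets an empty list and returns 0.
```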
Installation
- Upload the plugin folder to the /wp-content/plugins/ directory, or install the plugin directly through the WordPress plugin screen by searching for “Shakvaro Shield”.
- Activate the plugin through the “Plugins” screen in WordPress.
- Navigate to Shakvaro Shield > Dashboard in the admin menu. The setup wizard will launch automatically on first activation.
- Follow the wizard steps to configure hardening options, firewall rules, login security settings, and notification preferences.
- Once the wizard is complete, Shakvaro Shield will automatically install its mu-plugin component for early firewall loading. No manual file copying is required.
- Visit the Dashboard to review your security health score and address any recommended actions.
FAQ
What are the minimum PHP and WordPress versions required?
Shakvaro Shield requires PHP 7.4 or higher and WordPress 6.2 or higher. PHP 8.0+ is recommended for the best performance. The plugin is tested up to WordPress 6.7 and PHP 8.3.

Does Shakvaro Shield slow down my site?
No. Shakvaro Shield is designed with performance as a priority. It adds zero JavaScript or CSS to your frontend pages, uses PSR-4 autoloading so only the classes needed for each request are loaded, and the entire plugin weighs under 1 MB. The mu-plugin firewall component is extremely lightweight and adds negligible overhead to request processing.

What is the mu-plugin and why does Shakvaro Shield install one?
The mu-plugin (must-use plugin) is a small firewall loader that WordPress executes before regular plugins. This allows Shakvaro Shield’s Web Application Firewall to inspect and block malicious requests at the earliest possible stage, before any vulnerable plugin code has a chance to run. The mu-plugin is installed and removed automatically when you activate or deactivate Shakvaro Shield.

Can I use Shakvaro Shield alongside other security plugins?
Shakvaro Shield is designed to be a complete security solution, so running it alongside another full-featured security plugin (such as Wordfence or Sucuri) is not recommended and may cause conflicts, especially with firewall or login protection features. However, Shakvaro Shield can coexist with specialized plugins that handle only backups, uptime monitoring, or spam filtering.

How does Two-Factor Authentication work?
Shakvaro Shield supports Time-Based One-Time Password (TOTP) authentication, which is compatible with apps like Google Authenticator, Authy, and 1Password. When 2FA is enabled, users scan a QR code during setup and then enter a six-digit code from their authenticator app each time they log in. Ten single-use backup codes are also generated so users can regain access if they lose their authenticator device.

What happens if I get locked out of my site?
If you are locked out due to brute force protection, the lockout will expire automatically after the configured duration. If you have lost access to your 2FA device, you can use one of your backup codes to log in. As a last resort, you can disable Shakvaro Shield by connecting to your server via FTP or file manager, renaming the plugin folder (e.g., to shakvaro-shield-disabled), and removing the file wp-content/mu-plugins/shakvaroshield-firewall.php.

Where are activity logs stored?
Activity logs are stored in a custom database table within your WordPress database. This ensures fast querying and filtering without creating files on the filesystem. Logs can be exported to CSV from the Shakvaro Shield > Tools page. By default, log entries older than 90 days are automatically purged to keep your database lean.

How do email notifications work?
Shakvaro Shield sends email alerts for critical security events such as blocked attacks, failed login attempts exceeding your threshold, file integrity changes, and lockouts. To prevent notification fatigue, emails are throttled so that repeated events of the same type are batched. You can also enable a daily digest that summarizes all security activity from the past 24 hours in a single email.
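How the TOTP and backup-code checks described in the Two-Factor Authentication FAQ work, as an added PHP example; this is not code from the plugin. Function names are assumptions, the secret is the RFC 6238 test key (so the expected codes are known), and the backup code is a constructed value.

```php
<?php
// Added example, not plugin code: TOTP (RFC 6238: HMAC-SHA1, 30 s steps,
// 6 digits) verification plus single-use backup codes, as in the 2FA FAQ.
function shakvaro_example_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';   // secret as shown in the QR code
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $bits .= str_pad(decbin((int) strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) $out .= chr(bindec($byte)); // partial tail is padding
    }
    return $out;
}
// HOTP over the 30-second counter, with RFC 4226 dynamic truncation.
function shakvaro_example_totp(string $secret, int $time, int $digits = 6): string
{
    $counter = pack('J', intdiv($time, 30));          // 64-bit big-endian step number
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0F;
    $code    = (unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF) % (10 ** $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT);
}
function shakvaro_example_verify_totp(string $secret, string $input, int $now): bool
{
    foreach ([-30, 0, 30] as $drift) {                // current step and one either side
        if (hash_equals(shakvaro_example_totp($secret, $now + $drift), $input)) return true;
    }
    return false;
}
// Backup codes are kept only as password_hash() digests; an accepted code is
// removed from the list immediately, which is what makes it single-use.
function shakvaro_example_use_backup_code(array &$hashes, string $input): bool
{
    foreach ($hashes as $i => $hash) {
        if (!password_verify($input, $hash)) continue;
        unset($hashes[$i]);                           // consumed on success
        return true;
    }
    return false;
}
// RFC 6238 test key (base32 of "12345678901234567890"): T=59 -> 287082, T=1111111109 -> 081804.
$secret = shakvaro_example_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
var_dump(shakvaro_example_verify_totp($secret, '287082', 59));          // bool(true)
var_dump(shakvaro_example_verify_totp($secret, '287082', 1111111109));  // bool(false): stale code
$codes = [password_hash('4k7m-2q9x', PASSWORD_DEFAULT)];               // constructed backup code
var_dump(shakvaro_example_use_backup_code($codes, '4k7m-2q9x'));        // bool(true)
var_dump(shakvaro_example_use_backup_code($codes, '4k7m-2q9x'));        // bool(false): already used
```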
Contributors & Developers
“Shakvaro Shield” is open source software. The following people have contributed to this plugin.
Changelog
1.0.2
- Updated the bundled Shakvaro WP Insights telemetry SDK to 1.2.7.
- Hardened the uninstall routine against a fatal error (“Cannot redeclare class”) that could occur when another Shakvaro plugin sharing the same telemetry SDK was installed: the SDK class is now loaded with a class_exists() guard before use.
1.0.1
- Security Headers hardening check: replaced the one-click fix with clear manual instructions (Apache .htaccess / nginx add_header). PHP-set headers can be stripped by a reverse proxy or CDN, or skipped when SSL terminates upstream, so server-level configuration is the reliable fix. The check itself is unchanged and works on any server (it inspects the live HTTP response).
- Added a Shakvaro credit: a “Support” link on the Plugins screen and a “built and maintained by Shakvaro” footer on the plugin’s admin pages.
1.0.0
- Initial release
- Web Application Firewall with 6 built-in rules (SQLi, XSS, directory traversal, file inclusion, PHP code injection, user enumeration)
- 15 security hardening checks with A-F health score grading
- Brute force protection with progressive lockouts
- Two-Factor Authentication (TOTP + backup codes)
- File integrity monitoring (core + plugin verification against ww.wp.xz.cn checksums)
- Activity logging with 30+ event types
- Email notifications with intelligent throttling and daily digest option
- Custom login URL to hide wp-login.php
- CAPTCHA support (reCAPTCHA v3, Cloudflare Turnstile, math fallback)
- Password strength policy enforcement
- Setup wizard for first-time configuration
- Tools: log export to CSV, system diagnostics report
- Opt-in anonymous usage analytics (Shakvaro WP Insights) — OFF by default, requires explicit consent, fully documented under External Services
